back to article High Court judge finds Morrisons supermarket liable for 2014 data leak

Morrisons is responsible for the leak of staff personal details by an ex-employee, the High Court ruled today. A group of 5,518 employees took the supermarket to court, with Mr Justice Langstaff of the High Court's Queen's Bench Division, sitting at Leeds Crown Court in England, ruling that those affected can claim …

  1. BobChip
    Pint

    Vicarious liability

    Interesting to see a finding of vicarious liability here, with the employer being held accountable for the (mis)behaviour of an employee. I'm surprised to see that this is a first, and I can see lots of opportunities to extend this to other areas such as downright incompetence etc. Lawyers will be rubbing their hands; Megacorp (fill in your preference here) will be worried.

    But 100,000 employees? Where are they all hiding when I go shopping?

    1. The Nazz

      Re: Vicarious liability

      My take on this is that Morrisons are liable for the leak of data from their control, their premises and security as much as it being an ex-employee who did it. The effect on the 100k victims would have been the same had a third party "attacker" released the data. So, as you say, just about every other megacorp ought to be similarly liable.

      re staff : Hiding? Try the Heckmondwike store, many hide there in plain sight on the tills, busy gabbing away to their colleagues whilst customers queue, longer than they should. Eventually, with negligible interaction scanning begins and you hear "that is £**.**".(1) Whatever happened to please?

      Or the supermarket slogan "the customer is king"..

      (1) tbf, it happens in a lot of other retail outlets.

      Ah, such is progress.

      1. Commswonk

        Re: Vicarious liability

        It will be interesting to see if this goes to appeal, and if so what the outcome is; I can see stocks of popcorn needing replenishment.

        I must say that on the face of it this seems unfair to Morrisons; from a news report earlier in the day the person who actually stole the information had legitimate access to it, and if that is true then he had no need to hack the IT system to gain access to it; he just logged on normally and then stole it. (My words)

        If this verdict is upheld then what happens if a company car driver (including anyone driving a car hired by his / her employer) behaves like a total prat behind the wheel and has an accident (from driving at excess speed up to death by dangerous driving)? Will the company / employer be held vicariously responsible in those circumstances?

        The basis concept of "vicarious liability" is valid enough but there have to be limits to its application; OK it's easy for me to say this because it wasn't my personal information that got published on the internet. The only circumstances where it might be "fair" would be in the case of an employee who was dismissed and then allowed back to their desk before being escorted from the premises, but even then the employee might have stolen the data in advance "just in case". IANAL but I am uncomfortable with the verdict.

        For the avoidance of doubt I have / had no connection with Morrisons or any other food company.

        1. Anonymous Coward
          Anonymous Coward

          Re: Vicarious liability

          You make a very good point. To be vicarious the judge is determining that the actions of employee are the actions of the employer by proxy. This is not really a common sense judgement as the employer would not have done what the employee did and would not condone or sanction it. It'll get overturned on appeal.

          1. gotes

            Re: Vicarious liability

            Could Morrisons file a case to recover the value of the settlement paid to the class action from the guy who nicked their data?

            Not that it'd come to much, though as usual the lawyers would still get paid.

            1. Commswonk

              Re: Vicarious liability

              No chance; he is in clink and would not have the resources to pay even if he wasn't. Morrisons would still have to pay their lawyers, though, so it would end up costing them even more.

              And the concept of a Debtor's Prison is no longer with us, which perhaps a pity.

              1. Wensleydale Cheese

                Re: Vicarious liability

                "No chance; he is in clink and would not have the resources to pay even if he wasn't."

                According to The Yorkshire Post

                Counsel Jonathan Barnes said the company had already been awarded £170,000 compensation against Skelton, and his other “victims” should be compensated too.

                Anya Proops QC, for Morrisons, said Skelton had already caused serious damage to the firm, not least because it incurred more than £2 million in costs in responding to the misuse

                Maybe he has enough equity in a house to cover the £170,000.

        2. Nick Kew

          @Commswonk

          Actually company drivers are one area where employer liability should be very firmly enforced. Otherwise you have a race to the bottom where companies put impossible-to-meet pressures on employees who drive on business, who then take risks to try and meet expectations.

          1. Anonymous Coward
            Anonymous Coward

            Re: @Commswonk

            "Actually company drivers are one area where employer liability should be very firmly enforced."

            It's covered by HSE and if a company is found to be putting unrealistic schedules on drivers, then they can be found liable for any resultant actions that occur from this, including corporate manslaughter.

            P.8

            http://www.hse.gov.uk/pubns/indg382.pdf

    2. Anonymous Coward
      Facepalm

      Re: Vicarious liability

      It does seem to be a case by case basis. Should I "accidentally" hire a load of thugs... Ahem, "resource acquisition managers", who break into your house and steal all your stuff, then "accidentally" sell it off and pocket 50% of the takings, then "find out" only after they have retired to the Bahamas... would you expect me to be responsible, partially?

      If it is found that there is neglect, etc, then yes, the company can be responsible.

      1. Commswonk

        Re: Vicarious liability

        @ Nick Kew: I see and understand the point you are making, but...

        A & B are a married couple; each owns their own car, and both cars are fully insured with each person being a named driver on the other's policy.

        On a particular day B's car is in the garage for a routine service and asks to borrow A's car; A agrees. Unfortunately B commits a moving traffic offence (most uncharacteristic) and is handed a fixed penalty notice or is prosecuted in court.

        A also finds him / her self prosecuted as well on the grounds that it was A's car that B was driving, and thus A is held to be vicariously liable for the offence.

        Now I know that the relationship between A & B is not the same as employer / employee (at least I hope it isn't!) but the logic of this finding is near enough the same.

        Injudiciously applied the concept of "vicarious liability" begins to look like "guilt by association".

        1. Anonymous Coward
          Anonymous Coward

          Re: Vicarious liability

          I think the judge made his verdict on the fact that this type of information about employees should not be so easily downloaded/printed off and should be secure enough that no employee can get all this information.

          I imagine banks have security/processes in place to prevent people taking personal information (e.g. account details) so it wouldn't be hard for Morrisons to implement a procedure (2nd person authority maybe) to download/print/transfer employee data

  2. Goldmember

    He got 8 years....

    I'm in no way condoning his actions and I'm sure the distress caused was genuine. But 8 years... You generally get half of that for manslaughter, or for killing someone with your car. It seems a tad disproportionate.

    1. DNTP

      Re: He got 8 years....

      Be careful, if your courts keep handing out disproportionate sentences for computer crimes, you might get mistaken for the 51st United State.

    2. Anonymous Coward
      Anonymous Coward

      Re: He got 8 years....

      Maybe he got a longer sentence because their were more reasons?

    3. Jason Bloomberg

      Re: He got 8 years....

      The main reason for disparities in punishments is down to intent and remorse shown. It is not just a matter of outcome or the name we give to any particular crime.

      1. Anonymous Coward
        Anonymous Coward

        Re: He got 8 years....

        That and we are judged by society? Effect a lot of people in a small way, and it soon stacks up?

    4. NonSSL-Login

      Re: He got 8 years....

      Was thinking the same. The sentence seems overly harsh compared to other offences.

      He could have stabbed the person who stabbed him and gotten off with much shorter jail time or maybe community service. That might have been more satisfying too!

  3. Snorlax
    Headmaster

    Vicarious Liability?

    It's been a while since I looked at a tort law book, but vicarious liability is fixed on an employer when the employee does something negligent in the course of his employment.

    It's debatable whether the guy was acting in the course of his employment when he stole data to discredit his (ex-) employer. Sounds more like somebody 'on a frolic' to me, but I'm no High Court judge...

    1. Am I Paranoid Enough?

      Re: Vicarious Liability?

      Snorlax:

      "It's been a while since I looked at a tort law book, but vicarious liability is fixed on an employer when the employee does something negligent in the course of his employment."

      Without seeing court transcripts, my best guess would be that vicarious liability was triggered due to the failure of the employer to take all reasonable and practical measures to prevent this foreseeable incident from occurring and any reaction once the breach has been detected.

      Moreover, did their action or inaction facilitate the theft? Such as;

      - why did this person have access to all those different items of data?

      - how did he get the data out?

      - were all reasonable steps to prevent unauthorised data transmission taken?

      - what provisions were there to ..., etc?

      I know it is a fair few decades since I studied law, but IIRC the example given below may help...

      If I run a bank and leave cash on the counter it won't be there for long. SOP's to protect the cash will in place so it is negligence by the teller. If the SOP says it is OK to leave it there until the teller has opened the drawer or safe, then the bank is apportioned blame (vicariously liable), as its' action or inaction allowed to theft to occur.

      Perhaps with the forthcoming GDPR the financial implications may focus attention.

      1. Snorlax

        Re: Vicarious Liability?

        "Without seeing court transcripts, my best guess would be that vicarious liability was triggered due to the failure of the employer to take all reasonable and practical measures to prevent this foreseeable incident from occurring"

        Nothing to do with reasonable foreseeability. Langstaff J's conclusion was apparently based on Lord Toulson's reasoning in Mohamud:

        "Although what he did was a gross abuse of his position, it was in connection with the business in which he was employed to serve customers, a position which his employers had entrusted to him, making it just that as between them and the Claimant they should be held responsible for the employee’s abuse of it." <-- Toulson was referring to an employee who took a dislike to a customer and beat the crap out of him btw.

        Was Skelton acting 'in connection with the business in which he was employed' when he decided to steal the data? I'd say no; once he stole the data he had gone completely outside the scope of his duties.

        Anyway who knows? Morrisons have been granted leave to appeal, so hopefully sense will prevail further up the chain.

  4. Tom Paine

    As a security grunt what concerns me

    Had the data leak not been traced to Mr Skelton, would Morrison's still be on the hook for vicarious liability?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022